[tl;dr sec] #198 – Building a Detection as Code Pipeline, NIST on CI/CD Supply Chain Security, Finding Malware with LLMs

Between having a full time job and writing this newsletter, I can get a bit busy 😅 

So I’ve been reflecting on how I spend my time, the life I want to lead, and what I want to leave behind.

One metaphor I heard that I liked is that we have ~112 waking hours in a week, and you can imagine each hour like a chip that you get to “spend,” on work, friends, family, etc.

But there’s a finite number of chips and you can only spend each chip once.

Or this Bitcoin life advice:

I hope you’re regularly spending time on things and with people you find meaningful ✊ 

Nearly 95% of smartphones and IoT devices are powered by Arm processors, which is why we built a unique hypervisor, the Corellium Hypervisor for Arm (CHARM), to run virtual Arm devices on Arm servers.

• Easily spin up any combination of device, OS, and apps.

• Instant root access for iOS and Android, jailbreaks not required.

• Use powerful built-in security tools and integrate with your existing developer, security and DevOps tools.

Organizations of all sizes use Corellium to better meet the need for faster R&D and increased security for mobile application development and cyber security testing.

lico-n/ZygiskFrida
A Zygisk module that allows you to inject Frida (a dynamic instrumentation toolkit) gadgets into Android applications in a stealthier way. Gadgets are not embedded into the APK, so integrity and signature checks will pass. It also avoids ptrace detection.

Android Goes All-in on Fuzzing
Google’s Hamzeh Zawawy and Jon Bottarini share details on how Google performs fuzzing at scale, documenting their experiences, challenges, and successes in building infrastructure to automate fuzzing across Android. They utilize Clusterfuzz, an open-source continuous fuzzing framework, to run fuzzers continuously on Android devices and emulators.

Cyber regulation is heating up around the globe. In January of this year, it was announced that the Network and Information Systems (NIS) would get an overhaul. NIS2, the sequel to NIS, expands the initial 2016 regulation to eliminate inconsistency and establish a common set of cybersecurity standards and risk management practices. Learn more about NIS2 and how it may impact you and your organization.

fransr/postMessage-tracker
By Frans Rosen: A Chrome Extension designed to track postMessage usage (URL, domain, and stack). It provides both logging capabilities using CORS and visual indicators through an extension icon.

bist-security/cherrybomb
By BLST Security et al: A Rust-based CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them against an OpenAPI file to ensure compliance with OpenAPI Specification (OAS) rules, and running API security tests.

XMCyber/XMGoat
By Eng Soon et al: Terraform templates to help you learn about common Azure security issues. Each template is a vulnerable environment with some significant misconfigurations that you can attack and compromise.

awslabs/k8s-network-policy-migrator
By Sanjeev Ganjihal: A tool for migrating Calico or Cilium custom network policies to Kubernetes native network policies. The tool offers features such as pre-migration checks, policy collection and conversion, and more.

Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Pinning your GitHub Action to a full commit SHA doesn’t mean you’re going to run the same code. Palo Alto’s Yaron Avital outlines a number of ways this could be the case, for example, if the Action uses a Docker container that isn’t pinned, a composite Action that lets you run bash or other Actions, a JavaScript Action that downloads an external script and doesn’t verify the checksum, etc.

Yaron calls these Actions “unpinnable,” and finds 32% of the 1,000 top starred actions on the GitHub Marketplace to be unpinnable.

google/fuzzing
By Max Moroz et al: A repository from Google hosting tutorials, examples, discussions, research proposals, and other resources related to fuzzing.

Part 2 includes explanations and code for creating CI/CD workflows to test the DAC pipeline, handling alert payloads with Tines, testing detections, validating the alert pipeline, and concluding with a practical use case of detecting & responding to suspicious Okta behavior.

Chrome extensions can steal plaintext passwords from websites
Honestly, this seems like a “works as intended” situation. The Google Chrome Manifest V3 for extensions does not introduce a security boundary between extensions and web pages, so a browser extension that can read the DOM of a page can potentially steal sensitive info like passwords.

The University of Wisconsin-Madison researchers found ~17,300 extensions in the Chrome Web Store (12.5%) have the needed permissions, and 190 extensions are already directly accessing password fields. I sure hope those are password managers 😅 

The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
If you have a credit card, a credit bureau likely has a lot of info about you. Hackers are selling access to that info (birth date, current and prior addresses, SSN, phone number) for $15 in Telegram groups, obtaining it via third-party services the credit bureaus have sold the data to, by posing as a private investigator, from data leaks, etc. Frustratingly, there’s little you can do about it, there just needs to be credit bureau reform.

1. Unminify and prettify the code.

2. Ask the LLM to describe the intent and a better name for variables.

3. Use Babel to do the renaming, which can effectively rename a JavaScript variable within its scope by operating on the code’s Abstract Syntax Tree (AST), preserving how the code works.

• 1800 artifacts from PyPi and npm → 34 flagged as malware, 19/34 true positives.

• “False-positives are predominantly due to incomplete and syntactically incorrect code snippets, which commonly happens if the prompt’s length restriction prevents us from uploading an entire file.”

• “GPT can be tricked with help of several simple techniques to change an assessment from malicious to benign, e.g., by using innocent function names, including comments that indicate benign functionality or through inclusion of string literals.”

• Analysis Improvements

  • The removal of comments in suspicious code snippets (using Pygments) reduced exposure to prompt injection.

  • Asked for 0-9 risk score instead of binary classification.

  • Increased the context size, which also benefits from comment removals.

• >90% of the time the two models rated within 1 point of the same score.

• GPT-4 outperforms the other models for non-obfuscated code – better risk ratings and source code explanations.

A few lists of… lists of LLM-based Agents 😅 

opstower-ai/llm-opstower
Ask questions about your AWS resources and perform calculations on CloudWatch metrics from the command line.

Gian’s Thoughts after watching Oppenheimer
“What are we even doing A/B testing button colors and making React behave when 80 years ago the pinnacle of technology was splitting atoms and ending world wars. 80 years ago a bunch of nerds in the middle of the desert turned academic papers into a war-ending device. Today we struggle making escalators work reliably.”

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them 🙏